A new but short-lived variant of the Mirai Internet of Things (IoT) botnet came equipped with something different: a bitcoin miner slave add-on.
While tracking a series of high-volume command injection attacks, IBM researchers detected a website functioning as a malware package archive repository. The site hosted a web console that contained a dropper for Mirai malware. This console also sported a real-time counter of victims it had infected, a Dofloo backdoor, and a Linux shell.
By now, we all know that Mirai excels at two functions: compromising IoT devices and conducting distributed denial-of-service (DDoS) attacks.
It’s therefore no surprise this ELF Linux/Mirai malware variant brute-forced Linux machines via BusyBox. Mirai commonly does its dirty work over Telnet, a protocol used by BusyBox and leveraged by the embedded system applications found in digital video recorder (DVR) servers, routers, VoIP phones, and other “smart” products. Upon infection, each IoT device awaits instructions from Mirai to carry out attacks via flooding tools that use the TCP, UDP and HTTP protocols.
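Defender-side detection logic for the Telnet brute-forcing described above, added here as an illustration and not code from the article or the IBM report: it flags source addresses that exceed a threshold of failed Telnet logins within a sliding window. The syslog-style line format, the threshold, the window and the sample addresses are all assumptions constructed for the example.

```python
"""Flag Telnet login brute-force bursts in syslog-style log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format (not any specific product's):
#   "<ISO timestamp> telnetd: login failed for user '<user>' from <ip>"
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login failed for user '(?P<user>[^']*)' from (?P<ip>[\d.]+)$"
)

def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {src_ip: (failures_in_window, sorted_usernames_tried)} for every
    source that reaches `threshold` failed Telnet logins inside any sliding
    window of `window_seconds`. Non-matching lines are ignored."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, username), oldest first
    flagged = {}
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        ip, user = m.group("ip"), m.group("user")
        q = recent[ip]
        q.append((ts, user))
        # Evict entries that fell out of the sliding window.
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = (len(q), sorted({u for _, u in q}))
    return flagged

# Constructed sample lines: one noisy source, one slow source, one unrelated line.
SAMPLE_LOG = """\
2017-03-20T10:00:01 telnetd: login failed for user 'root' from 203.0.113.7
2017-03-20T10:00:02 telnetd: login failed for user 'admin' from 203.0.113.7
2017-03-20T10:00:03 telnetd: login failed for user 'root' from 203.0.113.7
2017-03-20T10:00:04 telnetd: login failed for user 'user' from 203.0.113.7
2017-03-20T10:00:05 telnetd: login failed for user 'support' from 203.0.113.7
2017-03-20T10:00:06 telnetd: login failed for user 'root' from 203.0.113.7
2017-03-20T10:00:07 telnetd: login failed for user 'admin' from 198.51.100.4
2017-03-20T10:05:00 telnetd: login failed for user 'admin' from 198.51.100.4
2017-03-20T10:00:08 sshd: unrelated line that the regex does not match
""".splitlines()

if __name__ == "__main__":
    for ip, (count, users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} failed Telnet logins in window; users tried: {users}")
```

The 198.51.100.4 source is deliberately not flagged: its two failures are five minutes apart, outside the 60-second window, which is the kind of slow probing a fixed threshold alone will miss.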
But this malware variant came with something different: a bitcoin miner slave.
Of course, there are lots of things computer criminals can do with the Bitcoin cryptocurrency. And it’s not the first time malware botnets have turned their victims into Bitcoin miners. But those previous cases involved computers. Can IoT devices live up to the demands of such a CPU-intensive activity?
IBM researchers Dave McMillen and Michelle Alvarez reflect on this question in a blog post:
“Given Mirai’s power to infect thousands of machines at a time, however, there is a possibility that the bitcoin miners could work together in tandem as one large miner consortium. We haven’t yet determined that capability, but we found it to be an interesting yet concerning possibility. It’s possible that while the Mirai bots are idle and awaiting further instructions, they could be leveraged to go into mining mode.”
McMillen, Alvarez, and their colleagues first detected this new variant on 20 March. Four days later, the malware peaked before completely dying off after another four days.
IoT malware like Mirai is continually evolving. Acknowledging this trend, consumers and manufacturers need to do more to improve IoT security.
Consumers should change their devices’ default credentials so that malware can’t compromise their “smart things” using password brute-force attacks. At the same time, manufacturers should build security into their products and cooperate with both industry and government actors on developing a set of security standards for IoT devices.
Changing your login credentials on one of these pieces of junk doesn't protect you from anything if the manufacturer built in a telnet port with a fixed password and didn't bother telling any of its customers. This is the equivalent of putting a heavy steel door on the front of the house, and a flimsy wooden screen door on the back. Since the manufacturers don't let any of their customers know in advance that such a port exists on their device, we have no way of knowing if we're vulnerable when we buy it. For this reason, I won't have any IoT devices in my house until, by law, they are manufactured verifiably securely.